[jbosstools-issues] [JBoss JIRA] (JBIDE-17284) OpenJDK seem to have issues with SSL/TLS handshakes when using URLConnection

Max Rydahl Andersen (JIRA) issues at jboss.org
Wed Jun 11 04:19:15 EDT 2014


    [ https://issues.jboss.org/browse/JBIDE-17284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975111#comment-12975111 ] 

Max Rydahl Andersen commented on JBIDE-17284:
---------------------------------------------

From Rich Lucente:

I install jbds under /usr/share for a shared installation for all users.  Searching for native libraries reveals the following:

[root@rhel6vm2-rlucente ~]# cd /usr/share/jbdevstudio/
[root@rhel6vm2-rlucente jbdevstudio]# find . -type f -name '*.so'
./studio/plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.200.v20140116-2212/eclipse_1508.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libnssckbi.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libxul.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libnss3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libsoftokn3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libnspr4.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libssl3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libfreebl3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libnssdbm3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libjavaxpcomglue.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libnssutil3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libmozjs.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libxpcom.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libsmime3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libplc4.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libsqlite3.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/components/libimgicon.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/components/libmozgnome.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/components/libdbusservice.so
./studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/components/libnkgnomevfs.so
[root@rhel6vm2-rlucente jbdevstudio]#

These include the nss and nspr libraries from the Mozilla Network Security Services.  What I think is happening is that during TLS negotiation, the GitHub server is requesting elliptic curve encryption.  Java falls through the providers and settles on the SunPKCS11 which uses the NSS native libraries.  At this point there are a couple of possibilities.  One is that since I'm not installed in a user's home directory, I think that the dynamic library load order is a mix of /lib64 and the jbds native libraries.  The mismatch is causing SIGSEGV to occur.  Another possibility is that I'm missing packages that are normally installed with a Desktop profile, so I'm getting a mix of /lib64 and the jbds native libraries that is causing a SIGSEGV to occur.

One solution is to force the use of the JBDS libraries.  Another solution that I just tried is to ensure that the needed dependencies are installed with the latest versions in RHEL.  The package list I believe is needed is:

yum -y install nspr nss nss-softokn nss-softokn-freebl nss-util xulrunner

However, when I tried that I got a GConf error and the same SIGSEGV crash, so LD_LIBRARY_PATH, even though it's using older versions of NSS, seems to be the most stable workaround.

> OpenJDK seem to have issues with SSL/TLS handshakes when using URLConnection
> ----------------------------------------------------------------------------
>
>                 Key: JBIDE-17284
>                 URL: https://issues.jboss.org/browse/JBIDE-17284
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: common/jst/core, openshift, upstream
>            Reporter: Max Rydahl Andersen
>            Priority: Critical
>             Fix For: 4.2.0.Beta3
>
>
> We've received multiple reports about instant crashes of users running JBoss Tools and Developer Studio.
> The common issue is that it happens when they use OpenJDK vm, not Oracle.
> The crash log normally contains something similar to:
> Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
> j  sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(J[Lsun/security/pkcs11/wrapper/CK_ATTRIBUTE;)J+0
> j  sun.security.pkcs11.P11ECKeyFactory.generatePublic(Ljava/security/spec/ECPoint;Ljava/security/spec/ECParameterSpec;)Ljava/security/PublicKey;+170
> j  sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(Ljava/security/spec/KeySpec;)Ljava/security/PublicKey;+80
> j  java.security.KeyFactory.generatePublic(Ljava/security/spec/KeySpec;)Ljava/security/PublicKey;+25
> j  sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Lsun/security/ssl/HandshakeInStream;Ljava/security/PublicKey;[B[BLjava/util/Collection;Lsun/security/ssl/ProtocolVersion;)V+228
> Opening this bug to collect and use a key issue for hunting down the cause.
> Note: This issue is *not* specific to JBoss Tools as far as I can see, but it does affect us since we look up a file located behind an https URL at key times which seem to trigger the crash.



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
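
Added example, not part of the original thread: one way to test the hypothesis above that a single JVM process ends up with NSS/NSPR libraries from both the system directories and the bundled xulrunner plugin. It classifies the NSS-family entries in /proc/PID/maps text by install prefix; the sample maps lines, addresses and inode numbers are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Matches Mozilla NSS/NSPR libraries only, not glibc's
# name-service modules such as libnss_files.
NSS_RE='/lib(nss3|nssutil3|softokn3|freebl3|nspr4|plc4|plds4|ssl3|smime3|nssckbi|nssdbm3)[.]so$'

# classify_nss PREFIX < maps-text
# Prints "bundled <path>" or "system <path>" once per mapped NSS library.
classify_nss() {
    awk -v re="$NSS_RE" -v prefix="$1" '
        $6 ~ re && !seen[$6]++ {
            origin = (index($6, prefix "/") == 1) ? "bundled" : "system"
            print origin, $6
        }'
}

# nss_verdict PREFIX < maps-text
# Prints mixed, bundled-only, system-only or none.
nss_verdict() {
    classify_nss "$1" | awk '
        { count[$1]++ }
        END {
            if (count["bundled"] && count["system"]) print "mixed"
            else if (count["bundled"]) print "bundled-only"
            else if (count["system"]) print "system-only"
            else print "none"
        }'
}

# Constructed sample in /proc/PID/maps layout (not captured from a real process).
sample_maps() {
cat <<'EOF'
7f10a0000000-7f10a0130000 r-xp 00000000 fd:00 131 /usr/lib64/libnss3.so
7f10a0400000-7f10a043b000 r-xp 00000000 fd:00 132 /lib64/libnspr4.so
7f10a0800000-7f10a0840000 r-xp 00000000 fd:00 977 /usr/share/jbdevstudio/studio/plugins/org.mozilla.xulrunner.gtk.linux.x86_64_1.9.2.19pre/xulrunner/libsoftokn3.so
7f10a0c00000-7f10a0c0c000 r-xp 00000000 fd:00 140 /lib64/libnss_files-2.12.so
EOF
}

# For a live process: nss_verdict /usr/share/jbdevstudio < /proc/PID/maps
sample_maps | classify_nss /usr/share/jbdevstudio
sample_maps | nss_verdict /usr/share/jbdevstudio
```

A "mixed" verdict means the process has NSS components from two different builds mapped at once, which is the condition the comment suspects; "bundled-only" is what the LD_LIBRARY_PATH workaround would be expected to produce.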